Custom Retrieved Property Help Needed

I have been asked if BigFix can report on which servers are running which version of TLS in our environment. I believe this is doable with a custom property that looks at the registry entries but I am unsure how to write the relevance.

Am I understanding custom properties correctly? If so, any help with the relevance would be much appreciated. Side note, would this store the TLS information in the database? The agency I am supporting is dead set on using SSRS for reporting so having the data in the database would solve another issue.

Any help is greatly appreciated!

1 Like

Can you provide the registry locations you are interested in? Examples? Screenshots?

TLS can refer to the web browsers, Windows itself, or it could refer to web servers (IIS or others), or it could refer to many other applications on the system that may have their own TLS settings. It doesn’t really matter what it is as long as you give us the right registry locations to pull the data from, but you haven’t given enough info to really write anything.

Property results are pulled into the BigFix database, so you can retrieve them there, or through the REST API.

Related:

Here is the MS Official documentation with regard to TLS settings.

All settings can be pulled from the registry.

1 Like

Thanks for the response. Let me see if I can be more clear. The TLS entries we want to monitor are located here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS\1.x\Server

I'm hoping to be able to see the results for DisabledByDefault and Enabled for TLS 1.0, 1.1, and 1.2.

What is the outcome you are looking for? If you are looking to see if TLS is disabled, I believe you are looking for something like this:

Property
Name - Is TLS 1.0 Server Disabled?
Relevance - if (exists key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" of native registry) then exists value "Enabled" whose (it as integer = 0) of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" of native registry else false

1 Like

I'm hoping to log the results for each 1.0, 1.1, and 1.2 setting. For each 1.0, 1.1, and 1.2 I'd like to know if it IS/ISNOT disabled by default and if it IS/ISNOT currently enabled. Below is kind of what I am hoping to get for data. Thanks for the answers so far. Starting to look promising.

image

Easiest to formulate as 3 results and stick them together with semicolon, using the pipe operator to catch our existence errors. I used 0 and 1 instead of Yes and No to avoid another layer of if/then/else.

Try:

Q: ("TLS 1.0 " & (value "DisabledByDefault" of it as string | "0") & " " & (value "Enabled" of it as string | "0")) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" of native registry | "TLS 1.0 0 0"; ("TLS 1.1 " & (value "DisabledByDefault" of it as string | "0") & " " & (value "Enabled" of it as string | "0")) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" of native registry | "TLS 1.1 0 0"; ("TLS 1.2 " & (value "DisabledByDefault" of it as string | "0") & " " & (value "Enabled" of it as string | "0")) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" of native registry | "TLS 1.2 0 0"
A: TLS 1.0 0 0
A: TLS 1.1 0 0
A: TLS 1.2 0 0
2 Likes
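
For spot-checking one endpoint against what the property reports, the PowerShell script below reads the same SCHANNEL Server keys locally. It is an added example, not code from any post in this thread; the function names Get-SchannelDword and Get-TlsServerSetting are made up for illustration. Unlike the relevance above, it reports "not set" instead of 0 when a value is absent, so a protocol left at the OS default is not mistaken for one that was explicitly disabled.

```powershell
# Added example (not from the thread): report server-side SCHANNEL TLS settings.
# Function names are hypothetical; the registry path is the one discussed above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelDword {
    param([string]$KeyPath, [string]$Name)
    # Returns the DWORD value, or $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-TlsServerSetting {
    param([string[]]$Versions = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($v in $Versions) {
        $key = "$base\$v\Server"
        $dbd = Get-SchannelDword -KeyPath $key -Name 'DisabledByDefault'
        $en  = Get-SchannelDword -KeyPath $key -Name 'Enabled'
        [pscustomobject]@{
            Protocol          = $v
            KeyExists         = Test-Path -LiteralPath $key
            # Any non-zero DWORD counts as "yes"; Enabled is often written as 0xffffffff.
            DisabledByDefault = if ($null -eq $dbd) { 'not set' } elseif ($dbd -ne 0) { 'yes' } else { 'no' }
            Enabled           = if ($null -eq $en)  { 'not set' } elseif ($en -ne 0)  { 'yes' } else { 'no' }
        }
    }
}

# One row per protocol: Protocol, KeyExists, DisabledByDefault, Enabled
Get-TlsServerSetting | Format-Table -AutoSize
```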